from the well,-that's-just-great dept

We've noted a few times in the past our serious concerns about Hillary Clinton's hawkish and tone deaf views on cybersecurity, in which she wants the US to go on the offensive on cyberattacking, even being willing to respond to attacks with real world military responses. She seems to ignore the fact that the US has a history of being some of the most aggressive players on offense on such things (Stuxnet, anyone?), and doesn't seem to recognize how escalating such situations may not end well at all.

Of course, her opponent, Donald Trump has been totally incomprehensible on cybersecurity during the course of his campaign. There was his first attempt to respond to questions about cybersecurity in which it's not clear he understood the question, and started talking about nuclear weapons instead. Or the time he took a question on cybersecurity and answered by talking about the latest CNN poll. Or, of course, who can forget his debate performance on the topic, where his key insights were that his 10 year old was good with computers and a 400 lb. hacker may be responsible for the DNC hacks.

It appears that the Trump campaign finally decided that maybe Trump should say something marginally coherent on the subject, and sent him out earlier this week with a prepared teleprompter speech, which Trump actually managed to get through without going too far off script. And... it's basically the same kind of bullshit as Clinton -- pushing for more aggressive and offensive cyberattacks.

“I will also ask my secretary of Defense and joint chiefs to present recommendations for strengthening and augmenting our Cyber Command,” Trump said of his cybersecurity plan. “As a deterrent against attacks on our critical resources, the United States must possess, and has to, the unquestioned capacity to launch crippling cyber counterattacks, and I mean crippling. Crippling. This is the warfare of the future. America’s dominance in this area must be unquestioned, and today it’s totally questioned.”

There was also the kind of hilarious claim that the government has not made cybersecurity issues a priority, which is laughable if you've been paying attention to, well, anything in the "cybersecurity" policy space over the past few years. You could say that their priorities within that realm are screwed up. Or that the government seems to mainly use "cybersecurity" as a cloak to hide NSA surveillance efforts. But to argue that it's not been a priority is clearly false.

And, really, having our own side launching "crippling" cyberattacks (as with Clinton's plan) doesn't seem like the most effective plan. These kinds of things only escalate. Being an aggressor here seems particularly shortsighted. Taking out, say, China's internet, may show strength, but for what purpose? Will it really stop Chinese computer attacks on US infrastructure? Doubtful. Cybersecurity is mostly a defensive game, and it should remain that way. Encrypt everything possible. Disconnect critical infrastructure from the wider network wherever possible, and do everything to stop attackers from getting in, taking down, or mucking with systems.

This hawkish talk about offensive attacks in response to inbound online attacks is probably poll-tested to sound good as "being tough," but it's really stupid actual policy.

from the every-debate-response-basically-a-banned-forum-user's-posts dept

Look at the mess that we're in. Look at the mess that we're in. As far as the cyber, I agree to parts of what secretary Clinton said, we should be better than anybody else, and perhaps we're not. I don't know if we know it was Russia who broke into the DNC.

She's saying Russia, Russia, Russia. Maybe it was. It could also be China, it could be someone sitting on their bed that weighs 400 pounds...

Look, anyone who refers to cybersecurity or cyberwarfare as "the cyber" is probably better off not discussing this. But Donald Trump, in last night's debate, felt compelled to further prove why he's in no position to be offering guidance on technological issues. And anyone who feels compelled to portray hackers as 400-lb bedroom dwellers probably shouldn't be opening their mouth in public at all.

With this mindset, discussions about what "the Google" and "the Facebook" are doing about trimming back ISIS's social media presence can't be far behind. Trump did note that ISIS is "beating us at our game" when it comes to utilizing social media. Fair enough.

But Trump's cybersecurity "plan" isn't actually a plan. What there is of it has to be compiled from a string of random, semi-related sentences. Apparently, the next cyberwar will pit tweens against 400-lb Russians...

I have a son. He's 10 years old. He has computers. He is so good with these computers, it's unbelievable. The security aspect of cyber is very, very tough. And maybe it's hardly do-able. But I will say, we are not doing the job we should be doing, but that's true throughout our whole governmental society. We have so many things that we have to do better, Lester and certainly cyber is one of them.

The problem isn't so much that Trump plainly has no idea what he's talking about or even the coherency to bluff his way through it. No one expects presidential candidates to be experts on every possible issue that might come up. But this has been the government's primary focus in recent years, and multiple high-profile hackings have only intensified that.

The problem is that Trump clearly has no interest in discussing these issues with those who can offer coherent, possibly-useful cybersecurity strategies. The more he speaks, the more he exposes his ignorance. Ignorance isn't unfixable. But Trump has done nothing over the past several months to close these (often significant) gaps in his knowledge. That's the scariest aspect of his presidential run -- the unwillingness to handle the boring but essential work of creating a platform composed of something more than half-formed thoughts and severely misguided jingoism that blames the rest of the world for somehow making America a worse country.

The mitigating factors are these:

Hillary Clinton's response may have been more coherent but hers suggests we should probably engage in more actual war than cyberwar to handle ISIS -- something's that gone oh so well for the past couple of decades. And she was ready to declare cyberwar on Russia after the DNC hacking, an idea that's not only stupid (seeing as the entity behind the hacking is still unknown) but an indication she'd be willing to wield government power to avenge embarassment.

Trump's power in office is likely to be far less than he obviously envisions it. Trump may be a rather extreme form of populist but those popular votes will be about as useful as Facebook likes when it comes to attempts to push his agenda past far more level-headed advisors and legislators.

Either way, voters are faced with choosing between the devil they sort of know and the devil other devils have been distancing themselves from for several weeks. In both cases, we're going to end up with a president who doesn't have the technical knowledge to deal with today's realities.

The industry, according to Silvers, is demanding that IoT security is tackled "from a DHS perspective," meaning a focus on public safety. And then he damned other government departments' efforts with faint praise.

"This is complex stuff, but it's not going to be regulatory or over prescriptive, it's not even going to be highly technical," he argued. "What we're going to be doing is drawing on the best approaches, pulling them together and elevating them to get the public's attention."

Shorter DHS: we're going to take what the private sector and other government agencies have accomplished, print it out on a few pages of DHS letterhead, and call it good. All Silvers is promising is the DHS's insertion into a crowded marketplace of vague ideas, many of them coming from other government agencies.

“We have a small and closing window of time to take decisive and effective action,” Silvers said, “the challenge of addressing IoT security is outweighed only by the greater challenge of patching, or building on the security of already deployed systems. While some of this may sound like common sense, it’s an undeniable fact that some companies are not being held accountable,” Silvers said.

"Companies not being held accountable" sounds like the sort of thing the government would feel compelled to fix with regulation. As Kieran McCarthy of The Register points out, the DHS seems mostly concerned with ensuring it's cut in on the cybersecurity action.

The DHS's current plan seems to be little more than shoving their foot in the door: Silvers could not give a timetable for the principles, or even a consultation plan. He didn't highlight specific areas of concern, or point to the direction the DHS is expected to take.

Perpetually-increasing budgets are on the line here. Every agency wants a piece of the "cyber" pie, whether on the offensive or defensive side. The DHS is no different, even though its track record on cybersecurity is mostly terrible. (Its track record on "homeland" security isn't that fantastic either…) Its Election Cybersecurity task force is composed of state politicians, rather than security experts. And the Government Accountability Office has previously noted the DHS has no plans in place to protect government buildings from cyberattacks on access and control points -- despite having had nearly 15 years to do so.

In front of a group of professionals actually putting together best practices for the Internet of Things, the DHS has announced its willingness to coattail-ride its way into the cybersecurity future -- one promising to be full of government intrusion and steady paychecks. And, like others in the government who feel the government should do nothing more than make demands of the private sector, Silvers encouraged the forum attendees to "nerd harder." Or, at least, faster.

Silvers issued a call of action to attendees, urging them to “accelerate everything” they’re working on and tackle issues that pop up in cybersecurity in real time.

Thanks, bossman. There's nothing security professionals like more than being told how to do their jobs by government agencies without coherent future plans or the ability to secure anything more than a pension.

from the let's-get-it-done dept

There's been a lot of buzz over respected computer security expert Bruce Schneier recently talking about how someone, or some organization, or (most likely) some state actor, is running a series of tests that appear to be probing for ways to take down the entire internet. Basically, a bunch of critical infrastructure providers have noticed some interesting attacks on their systems that look like they're probing to determine defenses.

Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they're used to seeing. They last longer. They're more sophisticated. And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure.

The attacks are also configured in such a way as to see what the company's total defenses are. There are many different ways to launch a DDoS attacks. The more attack vectors you employ simultaneously, the more different defenses the defender has to counter with. These companies are seeing more attacks using three or four different vectors. This means that the companies have to use everything they've got to defend themselves. They can't hold anything back. They're forced to demonstrate their defense capabilities for the attacker.

This article is getting a collective "oh, shit, that's bad" kind of reaction from many online -- and that's about right. But, shouldn't it also be something of a call to action to build a better system? In many ways, it's still incredible that the internet actually works. There are still elements that feel held together by duct tape and handshake agreements. And while it's been surprisingly resilient, that doesn't mean that it needs to remain that way.

Schneier notes that there's "nothing, really" that can be done about these tests -- and that's true in the short term. But it seems, to me, like it should be setting off alarm bells for people to rethink how the internet is built -- and to make things even more distributed and less subject to attacks on "critical infrastructure." People talk about how the internet was originally supposed to be designed to withstand a nuclear attack and keep working. But, the reality has always been that there are a few choke points. Seems like now would be a good time to start fixing things so that the choke points are no longer so critical.

from the evidence-is-for-sissies dept

While it's certainly possible Russia has been busy using hackers to meddle in (or at least stoke the idiot pyres burning beneath) the U.S. elections, we've noted how actual evidence of this is hard to come by. At the moment, most of this evidence consists of either comments by anonymous government officials, or murky proclamations from security firms that have everything to gain financially from stoking cybersecurity tensions. Of course, transparent evidence is hard to come by when talking about hackers capable of false flag operations while obfuscating their footprints completely.

Granted that hasn't stopped people from demanding a cyber or real world attack on Russia, both idiotic ideas for what should be obvious reasons. But with no hard evidence forthcoming, those looking for perceived justice are apparently getting a little punchy. The Washington Post notes that the government continues to conduct an investigation into the DNC hacks, but the whole "obtaining actual evidence before doing anything stupid" thing is clearly frustrating the 1980's action movie sect of the intelligence community:

"The White House’s and some Cabinet officials’ insistence on awaiting the probe’s results has frustrated some officials at the FBI, the Justice Department and within the intelligence community, who favor holding Moscow accountable. The White House’s continued requests for more evidence, said one official, is “to delay — purposely delay” a public attribution."

Again, it's not like you're going to find a goddamned memo linking Russia to the DNC hacks, and any hacker worth his or her salt isn't going to leave evidence of the hack or their ties to a nation state. There's also the ongoing reality that the leading country when it comes to nation state hacking has generally been the United States, making any vocal moral repudiation kind of laughable. Still, that doesn't seem to be stopping folks like Senator Ben Sasse, who insists that we should just skip the whole actual evidence thing and proceed to lambasting Russia for doing what the United States has done for decades:

"Sen. Ben Sasse (R-Neb.), a member of the Homeland Security committee, said President Obama should publicly name Russia and do so before the November election. A failure to do so will only encourage further cyber intrusions and meddling in the U.S. election, he said.

“If the Obama administration has a reason for not clearly attributing these hacks to Russia, it contradicts their own cyber strategy,” Sasse said. “If they’re silent because it would invite response, that suggests that we’re operating from a position of weakness — in other words, we know that we need to aggressively deter cyberattacks, but we are too vulnerable to do it. Neither scenario is reassuring."

But again, what good is publicly shaming Russia for hacking when you've spent decades doing the same thing -- or worse? The only net outcome is you wind up looking like a giant, blithering hypocrite to the global community. The entire article stumbles on like this, quoting various officials on and off the record demanding we do everything from impose sanctions to start leaking Putin's dirty laundry:

"The National Security Agency, for instance, could disrupt a Russian computer system in a way that leaves no doubt who did it and that warns the Russians “to knock it off,” one former intelligence official said. Or the CIA could leak documents that are embarrassing in some way to Russian President Vladi­mir Putin."

Attack! Attack! Who needs evidence? Who needs the moral high ground? Generally, the press-driven public dialogue on cybersecurity and intelligence is so far from what's actually happening in the wild (as intelligence whistleblowers illustrate every few years) that one really should treat press reports on the subject as creative fiction. Combine that with the way nationalism leads to hypocrisy and the fact that most of these "former intelligence officials" don't even know what a gigabyte is, and you've got a recipe for keystone-cops-esque high comedy.

Again, none of this is to suggest that Russia isn't hacking the United States. But to ignore that all nation states are hacking each other all the time is myopic, and suggesting the DNC attack constitutes some rare breach of international ethics is hysterically naive given what we know about the States' own hacking attacks. The real danger here remains the threat of false flag hacking attacks and misinformation campaigns designed to prompt countries to dramatic action without substantive proof. The smarter path is to focus this energy on securing, upgrading and patching government systems to protect against intrusion, even though that's certainly a lot less fun than starting a new world war just because you think hard evidence is for sissies.

from the security:-always-worth-taking-seriously-AFTER-the-damage-is-done dept

The twice-hacked Office of Personnel Management has had little to offer but promises of "taking security seriously" and free identity theft protection for the thousands of government employees whose personal information was pried loose by hackers.

Twice-hacked, because there was one breach the OPM did discover, and one it didn't. While it spent time walling off the breach it had detected, another went unnoticed, leaking enough info on government employees that the CIA began worrying about the safety of agents located abroad.

The government discovered the first hacking in March 2014. A Homeland Security Department team noticed suspicious streams of data leaving its network between 10 p.m. and 10 a.m. — the online equivalent of moving trucks hauling away filing cabinets containing confidential papers in the middle of the night. The government's Einstein intrusion warning system detected the theft.

[...]

For the next few months, the personnel office worked with the FBI, National Security Agency and others to monitor the hacker to better understand his movements. Officials developed a plan to expel the hacker in May 2014. That effort included resetting administrative accounts, building new accounts for users who had been compromised and taking offline compromised systems.

Good moves in the wake of a breach, although I'm sure the thousands affected would have preferred a more proactive approach -- like using available cybersecurity tools to help prevent breaches from occurring in the first place. Those tools are what detected the second, still-ongoing breach that the OPM failed to notice when patching up the first hole.

[F]our people familiar with the investigation said the breach was actually discovered during a mid-April sales demonstration at OPM by a Virginia company called CyTech Services, which has a networks forensics platform called CyFIR. CyTech, trying to show OPM how its cybersecurity product worked, ran a diagnostics study on OPM’s network and discovered malware was embedded on the network. Investigators believe the hackers had been in the network for a year or more.

Or, as the report puts it, the malicious code-detecting tool "lit up like a Christmas tree" when deployed. Despite this tool finding malicious code in about one out of every five OPM devices, the report notes the OPM didn't think it was worth paying for. It allowed the trial period to expire before deciding the toolset that found the second breach might be a valuable security asset.

Despite housing the personal information of thousands of government employees -- including those with high-level security clearances -- the OPM didn't take security quite as seriously as it claimed to while handing out free credit reporting, post-breach. Jenna McLaughlin of The Intercept points out that the OPM spent less money -- quite a bit less -- than many other government agencies on network security.

The personnel agency spent just $2 million in 2015 to prevent malicious cyber activity, while the Department of Agriculture doled out $39 million. The departments of Commerce, Education, and Labor also spent more in this area. Among the categories of cybersecurity spending delineated by the committee — preventing malicious cyber activity, detecting, analyzing, and mitigating intrusions, and shaping the cybersecurity environment — only the Small Business Administration spent as little as OPM (although Small Business Administration spent more overall on cybersecurity).

The OPM has responded to the report by stating it fails to account for the agency's, post-double-breach cybersecurity awesomeness. And one contributor to the Committee feels there's just not enough buck-passing in the report.

OPM responded by saying the report does not actively reflect the progress the agency has made since the hack, and Rep. Elijah Cummings, D-Md., the ranking Democrat on the House Oversight Committee, insisted the report was flawed, in part because it failed to place blame on or otherwise account for the contractors involved in the agency’s cybersecurity.

That the OPM would want the report to focus on its barn door-closing efforts, rather than its eminent hackability, is understandable. But it's also stupid to insist a report detailing past mistakes not spend more time speculating on the agency's presumably glowing cybersecurity future. The report's title is uncharacteristically (for a Congressional report) brutal and does nothing to spare the feelings of an agency that didn't appear to care until it was too late:

The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation

But there's nothing to be gained by complaining that no one cares about the stuff you're doing correctly now -- not when it's been revealed that an agency that should have known it was, and will always be, a prime target for malicious hackers spent very little on cybersecurity and didn't deploy even the most basic security tools until well after the fact.

from the p@ssw0rd! dept

When we talk password security here at Techdirt, those conversations tend to revolve around stories a bit above and beyond the old "people don't use strong enough passwords" trope. While that certainly is the case, we tend to talk more about how major corporations aren't able to learn their lessons about storing customer passwords in plain text, or about how major media outlets are occasionally dumb enough to ask readers to submit their own passwords in an unsecure fashion.

But for the truly silly, we obviously need to travel away from the world of private corporations and directly into the world of politicians, who often times are tasked with legislating on matters of data security and privacy, but who cannot help but show their own ineptness on the matter themselves. Take Owen Smith, for example. Smith is currently attempting to become the head of the UK's Labour Party, with his campaign working the phones as one would expect. And, because this is the age of social media engagement, one of his campaign staffers tweeted out the following photo of the crew hard at work.

Yes, a staffer for the campaign managed to tweet out the full login and password to the phone banks for the campaign's phone jam. That password was also declared weak by the same internet that had managed to suss it out from the photo as well, leading some to complain that politicians that cannot bother to run organizations that adhere to basic security practices shouldn't be trusted to legislate on those matters in government.

The tweet has since been deleted and the credentials altered, but password security practices probably start with a first step of: don't send out your l/p to the entire known internet-connected world.

Trump apparently feels that this kind of incomprehensible nonsense is working for him, so he doubled down this week. As first noted by CNN reporter Sopan Deb, Trump responded to a question from (Trump supporter) General Michael Flynn about ISIS and cybersecurity with a word salad of complete nonsense:

Michael Flynn: And to stay on ISIS a little bit because this is a really -- I think this is an important topic - it's one of the national security threats that our country faces today. You have described at times different components of a strategy. Military, cyber, financial and ideological. Can you just expand on those four a little bit?

Donald Trump: Well, that's it. And you know cyber is becoming so big today. It's becoming something that a number of years ago, short number of years ago, wasn't even a word. And now the cyber is so big. And you know you look at what they're doing with the Internet, how they're taking and recruiting people through the Internet. And part of it is the psychology because so many people think they're winning. Any you know, there's a whole big thing. Even today's psychology — where CNN came out with a big poll. Their big poll came out today that Trump is winning. It's good psychology, you know. It's good psychology. I know that for a fact because people they didn't call me yesterday, they're calling me today. So that's the way life works, right?

But I think we're doing very well and I really thank the state of Virginia, so many different places have been so incredible. So I thank you very much. But cyber has been very, very important and it's becoming more and more important as you look and a lot of it does have to do with ideology and psychology and lots of other things. You know, we're in a different world today than we were in 20 years ago, 30 years ago. And one of the biggest problems and one of the reasons that we have to knock them out is because the weaponry is so powerful today. You know, in the old days, you could've said, "Well look they have rifles.

We have rifles. We shoot and they have uniforms. We have uniforms." This is a whole different war. The weaponry is so powerful. And we have to beat them over there. We're allowing people to come over here. We're allowing, think of it. Your military people -- we're allowing people to come over here. And you know, I used to watch the migration, and I'd see people with cell phones, I said, "where did they get cell phones?" And some of those people had very horrible things on their cell phones including the ISIS flag. And you say, what are we doing? What are we doing? But we're allowing people to come here and we don't know. Do they turn on us? Are a small percentage of them bad? Because if a small percentage is bad, that's not acceptable. That's not acceptable. We can't take the risk. Just a small percentage can do such damage. So we can't take the risk. So, General, the bottom line is we have to get very tough and we have to get very smart or we're not gonna have much of a country left. I can tell you that right now.

So, uh, wait. What? Apparently Donald Trump's "cybersecurity" policy is "Hey, look at this poll that says I'm winning!" And also "How did ISIS get cell phones?" Meanwhile, the brave Philip Bump over at the Washington Post tried to fact check the only clear factual statement in that rambling mess: that the word "cyber" was just created a few years ago. Of course, that's not true (though I guess that depends on what you consider to be a "short number of years ago"), but I'd argue that the fact that "cyber" predates the birth of one Donald Trump, that the statement isn't all that accurate.

But, really, who gives a fuck concerning when Donald Trump thinks the word "cyber" was first coined? The real question should be on what's the actual policy here, because in those three paragraphs above there's nothing even remotely resembling a policy, or a coherent idea. Clinton's tech policy is a hot mess of emptiness, but at least there's a policy that people can look at and talk about. Trump, on the other hand doesn't even seem to recognize what cybersecurity means and what a policy would entail.

Oh, and as for the claims about how ISIS is "recruiting people through the internet" multiple studies on that have suggested that ISIS's internet recruitment strategy isn't all that effective -- that most recruiting is done through real world networks, rather than virtual ones. But you know which groups really are having success growing their online presence? White nationalists and neo Nazis, with many of them strongly supporting... Donald Trump.

“On Twitter, Isis' preferred social platform, American white nationalist movements have seen their followers grow by more than 600 per cent since 2012,” the study, authored by JM Berger, stated. “Today, they outperform Isis in nearly every social metric, from follower counts to tweets per day.”

[....]

Donald Trump is a prominent subject among white nationalists on Twitter. According to the study, white nationalist users are “heavily invested” in the Republican’s candidacy. Tweets mentioned Mr Trump more than other popular topics among the groups.

So, yeah. I wonder what Donald Trump's "cyber policy" to deal with those folks would be.

from the bombing-for-the-lulz dept

While hacking and "cybersecurity" threats have long been used to justify awful government policy, the entire concept is clearly about to be turbocharged. With the rise in hacking attacks on the DNC, many were quick to call for renewed cyberattacks on Russia despite the fact that hard, transparent proof of Russian nation state involvement remains hard to come by (the idea being unsound either way). But in a speech last week, Presidential hopeful Hillary Clinton took things one step further by suggesting that she'll make it an administration goal to respond to cyberattacks with real-world military force:

"As President, I will make it clear that the United States will treat cyberattacks just like any other attack. We will be ready with serious political, economic, and military responses," she told the attendees, largely made up of veterans and their supporters. "We are going to invest in protecting our governmental networks and our national infrastructure," she continued. "I want us to lead the world in setting the rules in cyberspace. If America doesn't, others will."

There are several things wrong with this narrative. The US government and Western media seem to frequently go out of their way to imply that the United States is an innocent little hacking daisy, nobly defending itself from a wide variety of evil international threats. But as we saw with Stuxnet, the United States is very often the country doing the attacking, often with major negative impact on countries, companies and civilians worldwide. That the US has the moral high ground on cybersecurity is little more than a stale meme, and it needs to be put out of its misery.

And granted, while Clinton was clearly trying to appeal to her veteran audience at the American Legion National Conference (most of whom likely can't tell a terabyte from T-Mobile), America's moral cybersecurity superiority was on proud display all the same:

"We need to respond to evolving threats from states like Russia, China, Iran and North Korea," Clinton said in the speech. "We need a military that is ready and agile so it can meet the full range of threats and operate on short notice across every domain – not just land, sea, air and space but also cyberspace. "You've seen reports. Russia's hacked into a lot of things, China has hacked into a lot of things. Russia even hacked into the Democratic National Committee, maybe even some state election systems. So we have got to step up our game. Make sure we are well defended and able to take the fight to those who go after us."

Again, you'll note that the United States is portrayed as an innocent and noble defender of cybersecurity freedom, when it's the one often engaging in frequently-unprovoked attacks the world over. Of course, Clinton and friends are well aware that the vast majority of the time it's impossible to know where an attack came from, and any hacker worth his or her salt simply doesn't leave footprints. That makes a real-world military or economic response to a nebulous, usually-unprovable threat simply idiotic. You'd assume Clinton knows this and was just doing some light pandering to the audience.

But this rhetoric alone is still dangerous in that it opens the door wide to using hacking -- much like communism and Islamic extremism and numerous "isms" before them -- as a nebulous, endlessly mutable justification for a litany of bad US behavior. You could, for example, covertly hack a government, publicize its hacking response to your hack, using the press to help you justify military action. Given the US and global media's historical complicity in helping governments begin wars with jack shit for evidence, it shouldn't be hard to see how hacking is going to be a useful bad policy bogeyman du jour for decades to come.

Despite some repeated, painful lessons on this front stretching back generations, forcing the government to show its math before it resorts to violence is simply not the US media's strong suit. And with hacking and cybersecurity being subjects the press and public are extra-violently ignorant about, we've created the opportunity for some incredible new sleight of hand when it comes to framing and justifying US domestic and international policy. If history is any indication, by next time this year we'll be blaming everything under the sun on Russian hackers because after all, two anonymous senior government officials said so.

Healthy skepticism will be our ally as we stumble down the rabbit hole. While it's no surprise that Russia, like the United States is deeply-involved in nation state hacking, you'll note that actual evidence linking the Putin Administration to the recent rise in US hacking attacks remains fleeting. Most reports simply cite a single anonymous US government source, or security firms with a vested interest in selling services and products. That's not to say Putin and friends aren't busy hacking the US, but whether a country is responding to similar attacks by the United States (pdf) -- or is actually involved at all -- is rather important to transparently document before you begin trotting out awful new policies or worse, real world bombs.

from the prepare-to-be-memoed-at,-hackers dept

The National Association of Secretaries of State (NASS) [yes, there's an association for everything] has just announced its selections to head up a DHS "working group" tackling "election infrastructure cybersecurity." Like any committee formed in response to a hot-button topic, the appointees are better known for their years of tenure in government positions than their technical acumen, as the ACLU's Chris Soghoian points out.

4 state gov officials, 0 tech experts, appointed to new DHS Election Infrastructure Cybersecurity Working Group.

About the only thing the appointees have going for them is that they fit the description: all four are state-level secretaries of state. Beyond that, there's very little to indicate they're qualified to take on cybersecurity issues.

The working group's president, Denise Merrill, is Connecticut's Secretary of State. At least her bio contains some initiatives loosely-related to the task at hand.

As Connecticut's chief elections official and business registrar, Merrill has focused on modernizing Connecticut's elections, business services and improving access to public records.

[...]

Secretary Merrill has worked to expand voter participation through Election Day and online voter registration. She has also improved Connecticut's democratic accountability and integrity with a series of rapid response processes to Election Day problems.

Connie Lawson is Indiana’s 61st Secretary of State. As Indiana’s Chief Elections Official, she is focused on ensuring the integrity and security for our state’s elections. Since taking office, Secretary Lawson has championed sweeping election reforms, and has led the effort to clean Indiana’s voter rolls.

[...]

Secretary Lawson is not just an advocate for election security. She is also working to modernize elections through vote centers. As a state Senator, Secretary Lawson authored legislation allowing any county in the state to move to the vote center model. As Secretary of State, she has worked to educate voters and elected officials on the cost saving benefits and convenience of the vote center model.

There's not much to be said about the other appointees -- Georgia's Brian Kemp and California's Alex Padilla -- in terms of cybersecurity. However, there's plenty to be said about safeguarding elections. Padilla has been sued twice over alleged election fraud. And Kemp's office mistakenly released the personal information of six million registered voters.

But there's one thing they can all agree on: there's nothing to worry about.

Indiana's voter system is safe from hackers according to the Indiana Election Division.

“We are confident that the security features of our statewide voter registration system protect against hacks described in the FBI alert sent last week,” says Angie Nussmeyer, co-director of the Indiana Election Division.

She explained that Connecticut has perhaps the most decentralized voting and registration system in the country with 169 cities and towns that act as their own districts. Built into that system is an entirely paper based trove of voter cards, ballots, and backups.

“When you go into vote and you go to register on the list, it’s all still on paper so there is no simple database that’s containing all of the information," Merrill said.

The federal government wants to help states keep hackers from manipulating the November election, amid growing fears that the U.S. political system is vulnerable.

But Georgia’s top election official is balking at the offers of assistance — and accusing the Obama administration of using exaggerated warnings of cyberthreats to intrude on states’ authority.

[...]

“It seems like now it’s just the D.C. media and the bureaucrats, because of the DNC getting hacked — they now think our whole system is on the verge of disaster because some Russian’s going to tap into the voting system,” Kemp, a Republican, told POLITICO in an interview. “And that’s just not — I mean, anything is possible, but it is not probable at all, the way our systems are set up.”

It appears Kemp is worried more about preserving the integrity of his opposition status than he is about protecting the integrity of the presidential election. One day prior to the NASS press release, Kemp was claiming to have turned the position down.

Kemp recently declined an offer by the Department of Homeland Security for cyber security assistance, raising concerns about the federal government’s intrusion.

Fortunately, this lack of technical prowess won't prevent the working group from achieving the DHS's goal, which appears to have little to do with actual cybersecurity.

"Secretaries of State are committed to working with our federal partners to increase awareness of federal government cybersecurity resources and services that are available to election officials," said NASS President Denise W. Merrill, Connecticut Secretary of the State. "We look forward to sharing state best practices and technical advice that will strengthen understanding and collaboration between state and federal agencies."

"Increasing awareness" is one of those goals that sounds lofty, but generally materializes as mass emails and the occasional mandatory Powerpoint presentation most attendees will doze through. Every person listed here is a figurehead appointee to a figurehead working group -- one likely formed in response to a similar, higher-level "increase awareness" mandate handed down by administration officials. The lack of tech experts isn't going to cause much harm because the point of this committee is to be a committee. No one expects any sort of cybersecurity breakthroughs to be generated by something that will do little more one more line to these politicians' bios.